Getting GDPR-ready was painful, but PoPI compliance is yet to follow

Businesses across South Africa have spent the past few weeks in a last minute scramble to finalise their compliance with the European Union’s new General Data Protection Regulation (GDPR) by the 25 May deadline.

With that deadline now past, many of those companies will again turn their attention to South Africa’s Protection of Personal Information Act (PoPI). The good news is that any organisation that took its GDPR efforts seriously should be well on its way to PoPI compliance.

Like GDPR, PoPI aims to give ordinary people more control over their personal data and ensure that companies are more transparent in the way they use that data. There are a host of other similarities too, which is hardly surprising since PoPI is broadly based on the previous EU Directive which GDPR replaces.

There are, however, a few subtle differences that South African companies need to be aware of to ensure they don’t fall foul of PoPI when it (eventually) comes into effect.

The state of PoPI

At present, it’s still unclear when exactly PoPI will come into effect. Although it was partially enacted in 2013, it is still not fully in force. This is largely down to lengthy delays in appointing an Information Regulator and fully enabling its mandate and powers.

In effect, these delays have enabled companies to avoid, or delay, taking the steps necessary to become PoPI compliant. This was highlighted by the recent alleged breach of the personal information of 943 000 South Africans by a fines payment site.

The official statement from the Regulator said that due to the Act not being fully enacted, they were not able to bring the full force of the Act to bear on this incident, but would engage with the responsible party and assist with investigations.

With a renewed focus on governance and the increase in data breach events worldwide, the Act is likely to come back into focus in the near future. This, in turn, means that companies need to start getting their houses in order if they haven’t already.

GDPR gives you a headstart

Fortunately, the similarities in the two pieces of legislation mean any company that’s now GDPR compliant should be well on its way to PoPI readiness.

As we’ve already noted, the overall goals are, broadly speaking, the same, and most of the definitions are also very similar. The appointment of a Data Protection Officer (PoPI’s Information Officer) is a similar obligation, as is the GDPR definition of a Controller (PoPI’s Responsible Party) and Processor (PoPI’s Operator).

Again, this is hardly surprising. Early drafts of GDPR were being circulated when PoPI was passed into law, and would have been referred to by PoPI’s drafters.

You still have work to do

That said, there are several notable differences between GDPR and PoPI. GDPR, for instance, has some exemptions for SMEs and deals with the concept of the right to be forgotten.

Another significant difference is in the penalties that will be imposed on organisations which fail to comply with the regulations.

GDPR fines — €20-million (R292-million) or four percent of your company’s annual turnover — are much larger than PoPI’s R10-million. Anyone found guilty of committing criminal acts with personal information could face prison time under PoPI, whereas the EU leaves criminal sanctions to individual member states.

Because PoPI was modelled closely on the legislation that GDPR replaces, where the two differ it is generally GDPR that goes further.

Some differences require individual attention. For example, PoPI protects the personal information of legal entities (not just individuals), something which GDPR does not provide for. Consequently, South African organisations need to ensure that the information they hold about vendors, suppliers, and partners is processed in accordance with PoPI requirements.

Tech can help

While keeping up with regulatory requirements like PoPI and GDPR can seem like a massive headache, it’s worth bearing in mind that technology has kept in step with global data privacy requirements. As such, an organisation can meet its record-keeping obligations by selecting the right data/document processing application that has been built with data protection in mind — commonly known as privacy by design.

Choosing the right data and document processing apps won’t get you through every single regulatory hoop, but it’ll go a long way to ensuring that you’re compliant, while saving you a lot of time and effort.

Author | Alison Treadaway

Alison Treadaway is a director at Striata, a digital communications specialist. Treadaway joined Striata in 2002 and served as managing director of the African region for 13 years. Prior to this, her experience in Internet-related solutions included marketing and sales positions at Internet Solutions and Dimension Data. Her...